---
title: Release 2023.1
slug: "/releases/2023.1"
---

## Breaking changes

- Deprecated HaveIBeenPwned policy has been removed

This policy type has been deprecated since 2022.11, and existing instances were automatically migrated to the password policy with equivalent options. The `/policies/haveibeenpwned/` API endpoints and the `authentik.policies.hibp` value of the event matcher policy's `app` field are removed with it (see the API changes below).

## New features

- SLO support for SAML provider

authentik now supports SAML SLO (Single Logout). Every SAML provider now exposes logout endpoints for the POST and Redirect bindings; their URLs are returned in the new `url_slo_post` and `url_slo_redirect` properties of the provider API.

- Proxy provider now accepts HTTP Basic and Bearer authentication

See [Header authentication](../../providers/proxy/header_authentication.md). The proxy provider API gains the `client_id` and `jwks_sources` properties as part of this.

- LDAP provider now works with code-based MFA stages

If the configured authentication flow has an authenticator validation stage which allows code-based devices, and the user attempting to log in has a TOTP or static device, they can enter their password followed by a semicolon and the authenticator code (`password;code`) as the bind password to log in. SMS devices are not supported.

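What an LDAP client has to send to use the new code-based MFA bind, as an added example (not authentik's own code): it generates a TOTP code with a minimal RFC 6238 routine, joins it to the password with a semicolon, and assembles an `ldapsearch` invocation from it. The host, bind DN, base DN and base32 secret are constructed placeholders; nothing in the block connects to a server.

```python
"""Build the bind password an LDAP client sends to the authentik LDAP provider
when the authentication flow includes a code-based authenticator validation
stage: "<password>;<authenticator code>".

Added example, not authentik's own code. The TOTP routine follows RFC 6238
(HMAC-SHA1, 30-second step, 6 digits); the host, bind DN and base DN are
assumed placeholders, as is the base32 secret. Nothing here talks to a server.
"""
import base64
import hmac
import struct
import time
from hashlib import sha1


def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the big-endian time counter, dynamic
    truncation (RFC 4226), then the last `digits` decimal digits."""
    counter = now // step
    mac = hmac.new(secret, struct.pack(">Q", counter), sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def bind_password(password: str, code: str) -> str:
    """Password and authenticator code joined by a semicolon, which is the form
    the LDAP provider accepts; a static (backup) code is passed the same way."""
    return f"{password};{code}"


def ldapsearch_argv(host: str, bind_dn: str, password: str, code: str,
                    base_dn: str) -> list:
    """argv for an ldapsearch that binds with password;code over LDAPS.
    Assemble it right before binding: the code is only valid for the current
    time step. For interactive use prefer -y <file> over -w so the secret does
    not show up in the process list."""
    return [
        "ldapsearch", "-H", f"ldaps://{host}",
        "-D", bind_dn, "-w", bind_password(password, code),
        "-b", base_dn, "(objectClass=user)",
    ]


if __name__ == "__main__":
    secret = base64.b32decode("JBSWY3DPEHPK3PXP")  # constructed sample secret
    code = totp(secret, int(time.time()))
    argv = ldapsearch_argv("ldap.example.com",
                           "cn=jdoe,ou=users,dc=ldap,dc=goauthentik,dc=io",
                           "hunter2", code, "dc=ldap,dc=goauthentik,dc=io")
    print(" ".join(argv))
```

Because the code travels inside the bind password, the whole thing is only as private as the LDAP connection: use LDAPS (or StartTLS) to the outpost, as the example does.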
## Upgrading

This release does not introduce any new requirements.

### docker-compose

Download the docker-compose file for 2023.1 from [here](https://goauthentik.io/version/2023.1/docker-compose.yml). Afterwards, simply run `docker-compose up -d`.

### Kubernetes

Update your values to use the new images:

```yaml
image:
    repository: ghcr.io/goauthentik/server
    tag: 2023.1.0
```

## Minor changes/fixes

- \*: strip leading and trailing whitespace when reading config values from files
- admin: include task duration in API (#4428)
- blueprints: Add `!Enumerate`, `!Value` and `!Index` tags (#4338)
- blueprints: Fix resolve model_name in `!Find` tag (#4371)
- blueprints: internal storage (#4397)
- crypto: prevent creation of duplicate self-signed default certs
- events: rework metrics (#4407)
- internal: check certificate value and not IsSet
- internal: fix race condition with config loading on startup, add index on debug server
- outposts: use common config loader for outposts to support loading values from file
- policies/hibp: remove deprecated (#4363)
- providers/ldap: add code-MFA support for ldap provider (#4354)
- providers/oauth2: correctly fill claims_supported based on selected scopes (#4429)
- providers/oauth2: don't allow spaces in scope_name
- providers/proxy: add initial header token auth (#4421)
- providers/proxy: add tests for proxy basic auth (#4357)
- providers/saml: initial SLO implementation (#2346)
- root: show error when geoIP download fails
- sources/ldap: don't run membership sync if group sync is disabled
- sources/ldap: make task timeout adjustable
- sources/ldap: only warn about missing groups when source is configured to sync groups
- stages/user_write: add more user creation options (#4367)
- web: add core-js polyfill for safari
- web: migrate checkbox to switch (#4409)
- web/admin: fix certificate filtering for LDAP verification certificate
- web/admin: fix overflow in aggregate cards
- web/admin: link impersonation user for events
- web/admin: rework admin dashboard, add more links, remove user and group graphs (#4399)
- web/admin: show GeoIP information inline in events
- web/elements: fix pagination page button colours in dark mode
- web/elements: use correct Action Label for user related events

## API Changes

#### What's Deleted

---

##### `GET` /policies/haveibeenpwned/

##### `POST` /policies/haveibeenpwned/

##### `GET` /policies/haveibeenpwned/{policy_uuid}/

##### `PUT` /policies/haveibeenpwned/{policy_uuid}/

##### `DELETE` /policies/haveibeenpwned/{policy_uuid}/

##### `PATCH` /policies/haveibeenpwned/{policy_uuid}/

##### `GET` /policies/haveibeenpwned/{policy_uuid}/used_by/

#### What's Changed

---

##### `GET` /admin/metrics/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `authorizations`
    - `logins`
    - `logins_failed`

    New optional properties:

    - `authorizations_per_1h`
    - `logins_failed_per_1h`
    - `logins_per_1h`

    * Added property `logins` (array)

        Items (object): > Coordinates for diagrams

        - Property `x_cord` (integer)
        - Property `y_cord` (integer)

    * Added property `logins_failed` (array)
    * Added property `authorizations` (array)
    * Deleted property `logins_per_1h` (array)
    * Deleted property `logins_failed_per_1h` (array)
    * Deleted property `authorizations_per_1h` (array)

##### `GET` /core/users/{id}/metrics/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `authorizations`
    - `logins`
    - `logins_failed`

    New optional properties:

    - `authorizations_per_1h`
    - `logins_failed_per_1h`
    - `logins_per_1h`

    * Added property `logins` (array)
    * Added property `logins_failed` (array)
    * Added property `authorizations` (array)
    * Deleted property `logins_per_1h` (array)
    * Deleted property `logins_failed_per_1h` (array)
    * Deleted property `authorizations_per_1h` (array)

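A consumer of the reshaped metrics, as an added example that is not part of authentik: it reads the `logins`, `logins_failed` and `authorizations` arrays of `{x_cord, y_cord}` points that `GET /admin/metrics/` and `GET /core/users/{id}/metrics/` now return, falls back to the removed `*_per_1h` keys so a script keeps working across the upgrade, and flags buckets where failed logins dominate successful ones. The payload is constructed, the `/api/v3` prefix in the fetch helper is assumed, and the spike rule is this example's own choice.

```python
"""Read the metrics returned by `GET /admin/metrics/` (and, with the same
shape, `GET /core/users/{id}/metrics/`) in 2023.1 and flag buckets where
failed logins dwarf successful ones.

Added example, not part of authentik. It assumes only the response shape from
the API changes: `logins`, `logins_failed` and `authorizations` are arrays of
{"x_cord": <bucket>, "y_cord": <count>}. The payload below is constructed, the
/api/v3 prefix is an assumption, and the spike rule is this example's choice.
"""
import json
import urllib.request

SAMPLE_METRICS = json.dumps({  # constructed sample response
    "logins":         [{"x_cord": 0, "y_cord": 40}, {"x_cord": 1, "y_cord": 38},
                       {"x_cord": 2, "y_cord": 5},  {"x_cord": 3, "y_cord": 41}],
    "logins_failed":  [{"x_cord": 0, "y_cord": 2},  {"x_cord": 1, "y_cord": 3},
                       {"x_cord": 2, "y_cord": 120}, {"x_cord": 3, "y_cord": 1}],
    "authorizations": [{"x_cord": 0, "y_cord": 80}, {"x_cord": 1, "y_cord": 75},
                       {"x_cord": 2, "y_cord": 9},  {"x_cord": 3, "y_cord": 82}],
})


def load_sample() -> dict:
    """Parse the constructed sample payload."""
    return json.loads(SAMPLE_METRICS)


def get_series(metrics: dict, name: str) -> list:
    """Return the named series, falling back to the pre-2023.1 `<name>_per_1h`
    key so one consumer works against both API versions."""
    series = metrics.get(name)
    if series is None:
        series = metrics.get(f"{name}_per_1h", [])
    return series


def series_to_dict(points: list) -> dict:
    """{"x_cord": ..., "y_cord": ...} objects -> {bucket: count}."""
    return {int(p["x_cord"]): int(p["y_cord"]) for p in points}


def failed_login_spikes(metrics: dict, min_failed: int = 20, ratio: float = 2.0) -> list:
    """Buckets with at least `min_failed` failures that also exceed `ratio`
    times the successful logins in the same bucket (successes are floored at 1
    so an all-failure bucket still trips the rule)."""
    ok = series_to_dict(get_series(metrics, "logins"))
    failed = series_to_dict(get_series(metrics, "logins_failed"))
    spikes = []
    for bucket in sorted(set(ok) | set(failed)):
        f, s = failed.get(bucket, 0), ok.get(bucket, 0)
        if f >= min_failed and f > ratio * max(s, 1):
            spikes.append({"bucket": bucket, "failed": f, "succeeded": s})
    return spikes


def fetch_metrics(base_url: str, token: str) -> dict:
    """Live fetch with an API token (assumed URL layout; not called below)."""
    req = urllib.request.Request(f"{base_url}/api/v3/admin/metrics/",
                                 headers={"Authorization": f"Bearer {token}"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return json.load(resp)


if __name__ == "__main__":
    for spike in failed_login_spikes(load_sample()):
        print(f"bucket {spike['bucket']}: {spike['failed']} failed "
              f"vs {spike['succeeded']} successful logins")
```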
##### `GET` /managed/blueprints/{instance_uuid}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New optional properties:

    - `path`

    * Added property `content` (string)

##### `PUT` /managed/blueprints/{instance_uuid}/

###### Request:

Changed content type : `application/json`

- New optional properties:

    - `path`

- Added property `content` (string)

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New optional properties:

    - `path`

    * Added property `content` (string)

##### `PATCH` /managed/blueprints/{instance_uuid}/

###### Request:

Changed content type : `application/json`

- Added property `content` (string)

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New optional properties:

    - `path`

    * Added property `content` (string)

##### `POST` /managed/blueprints/{instance_uuid}/apply/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New optional properties:

    - `path`

    * Added property `content` (string)

##### `GET` /policies/event_matcher/{policy_uuid}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        - `authentik.policies.hibp`

##### `PUT` /policies/event_matcher/{policy_uuid}/

###### Request:

Changed content type : `application/json`

- Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    - `authentik.policies.hibp`

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        - `authentik.policies.hibp`

##### `PATCH` /policies/event_matcher/{policy_uuid}/

###### Request:

Changed content type : `application/json`

- Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    - `authentik.policies.hibp`

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        - `authentik.policies.hibp`

##### `GET` /propertymappings/scope/{pm_uuid}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `scope_name` (string)

        > Scope name requested by the client

##### `PUT` /propertymappings/scope/{pm_uuid}/

###### Request:

Changed content type : `application/json`

- Changed property `scope_name` (string)

    > Scope name requested by the client

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `scope_name` (string)

        > Scope name requested by the client

##### `PATCH` /propertymappings/scope/{pm_uuid}/

###### Request:

Changed content type : `application/json`

- Changed property `scope_name` (string)

    > Scope name requested by the client

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `scope_name` (string)

        > Scope name requested by the client

##### `GET` /providers/proxy/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `client_id`

    * Added property `client_id` (string)
    * Added property `jwks_sources` (array)

        Items (string):

##### `PUT` /providers/proxy/{id}/

###### Request:

Changed content type : `application/json`

- Added property `jwks_sources` (array)

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `client_id`

    * Added property `client_id` (string)
    * Added property `jwks_sources` (array)

##### `PATCH` /providers/proxy/{id}/

###### Request:

Changed content type : `application/json`

- Added property `jwks_sources` (array)

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `client_id`

    * Added property `client_id` (string)
    * Added property `jwks_sources` (array)

##### `GET` /admin/system_tasks/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    Changed items (object): > Serialize TaskInfo and TaskResult

    New required properties:

    - `task_duration`

    * Added property `task_duration` (integer)

##### `GET` /admin/system_tasks/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `task_duration`

    * Added property `task_duration` (integer)

##### `POST` /managed/blueprints/

###### Request:

Changed content type : `application/json`

- New optional properties:

    - `path`

- Added property `content` (string)

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    New optional properties:

    - `path`

    * Added property `content` (string)

##### `GET` /managed/blueprints/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Info about a single blueprint instance file

        New optional properties:

        - `path`

        * Added property `content` (string)

##### `POST` /policies/event_matcher/

###### Request:

Changed content type : `application/json`

- Changed property `app` (string)

    > Match events created by selected application. When left empty, all applications are matched.

    Removed enum value:

    - `authentik.policies.hibp`

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    - Changed property `app` (string)

        > Match events created by selected application. When left empty, all applications are matched.

        Removed enum value:

        - `authentik.policies.hibp`

##### `GET` /policies/event_matcher/

###### Parameters:

Changed: `app` in `query`

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > Event Matcher Policy Serializer

        - Changed property `app` (string)

            > Match events created by selected application. When left empty, all applications are matched.

            Removed enum value:

            - `authentik.policies.hibp`

##### `POST` /propertymappings/scope/

###### Request:

Changed content type : `application/json`

- Changed property `scope_name` (string)

    > Scope name requested by the client

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    - Changed property `scope_name` (string)

        > Scope name requested by the client

##### `GET` /propertymappings/scope/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > ScopeMapping Serializer

        - Changed property `scope_name` (string)

            > Scope name requested by the client

##### `POST` /providers/proxy/

###### Request:

Changed content type : `application/json`

- Added property `jwks_sources` (array)

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    New required properties:

    - `client_id`

    * Added property `client_id` (string)
    * Added property `jwks_sources` (array)

##### `GET` /providers/proxy/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > ProxyProvider Serializer

        New required properties:

        - `client_id`

        * Added property `client_id` (string)
        * Added property `jwks_sources` (array)

##### `GET` /providers/saml/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `url_slo_post`
    - `url_slo_redirect`

    * Added property `url_slo_post` (string)
    * Added property `url_slo_redirect` (string)

##### `PUT` /providers/saml/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `url_slo_post`
    - `url_slo_redirect`

    * Added property `url_slo_post` (string)
    * Added property `url_slo_redirect` (string)

##### `PATCH` /providers/saml/{id}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    New required properties:

    - `url_slo_post`
    - `url_slo_redirect`

    * Added property `url_slo_post` (string)
    * Added property `url_slo_redirect` (string)

##### `GET` /sources/ldap/{slug}/sync_status/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    Changed items (object): > Serialize TaskInfo and TaskResult

    New required properties:

    - `task_duration`

    * Added property `task_duration` (integer)

##### `POST` /providers/saml/

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    New required properties:

    - `url_slo_post`
    - `url_slo_redirect`

    * Added property `url_slo_post` (string)
    * Added property `url_slo_redirect` (string)

##### `GET` /providers/saml/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > SAMLProvider Serializer

        New required properties:

        - `url_slo_post`
        - `url_slo_redirect`

        * Added property `url_slo_post` (string)
        * Added property `url_slo_redirect` (string)

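What a service provider sends to the logout endpoint reported in a SAML provider's new `url_slo_redirect` property, as an added example that is neither authentik's code nor part of these release notes: a SAML 2.0 `LogoutRequest` is built, DEFLATE-compressed, base64-encoded and URL-encoded into the `SAMLRequest` query parameter (the HTTP-Redirect binding, SAML 2.0 Bindings section 3.4), and the receiving side decodes it and refuses a request whose `Destination` is not its own endpoint. The entity IDs, SLO URL and session index are constructed sample values; request signing (`SigAlg`/`Signature`) is left out, so a real handler would verify the signature before acting on the request.

```python
"""Encode a SAML LogoutRequest for the HTTP-Redirect binding, and decode and
check one on the receiving side.

Added example, not authentik's own code. It shows what a service provider sends
to the logout endpoint that authentik 2023.1 reports in a SAML provider's
`url_slo_redirect` property. Entity IDs, URLs and the session index are
constructed sample values; request signing (SigAlg/Signature) is left out.
"""
import base64
import secrets
import zlib
from datetime import datetime, timezone
from urllib.parse import parse_qs, urlencode, urlsplit
from xml.etree import ElementTree as ET

NS_SAMLP = "urn:oasis:names:tc:SAML:2.0:protocol"
NS_SAML = "urn:oasis:names:tc:SAML:2.0:assertion"
ET.register_namespace("samlp", NS_SAMLP)
ET.register_namespace("saml", NS_SAML)


def build_logout_request(issuer, name_id, session_index, destination,
                         request_id=None, issue_instant=None):
    """LogoutRequest XML as bytes. Destination names the IdP's SLO URL so the
    receiver can reject a request that was not meant for it."""
    request_id = request_id or "_" + secrets.token_hex(16)  # xs:ID: no leading digit
    issue_instant = issue_instant or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    root = ET.Element(f"{{{NS_SAMLP}}}LogoutRequest", {
        "ID": request_id, "Version": "2.0",
        "IssueInstant": issue_instant, "Destination": destination,
    })
    ET.SubElement(root, f"{{{NS_SAML}}}Issuer").text = issuer
    ET.SubElement(root, f"{{{NS_SAML}}}NameID").text = name_id
    ET.SubElement(root, f"{{{NS_SAMLP}}}SessionIndex").text = session_index
    return ET.tostring(root, encoding="utf-8")


def encode_redirect(xml):
    """Raw DEFLATE (no zlib header, wbits=-15) then base64, per the binding."""
    comp = zlib.compressobj(9, zlib.DEFLATED, -15)
    return base64.b64encode(comp.compress(xml) + comp.flush()).decode("ascii")


def redirect_url(slo_url, xml, relay_state=None):
    """Full URL the SP redirects the browser to."""
    params = {"SAMLRequest": encode_redirect(xml)}
    if relay_state is not None:
        params["RelayState"] = relay_state
    sep = "&" if urlsplit(slo_url).query else "?"
    return slo_url + sep + urlencode(params)


def decode_redirect(url):
    """Receiver side: recover the LogoutRequest XML from the query string."""
    qs = parse_qs(urlsplit(url).query)
    return zlib.decompress(base64.b64decode(qs["SAMLRequest"][0]), -15)


def parse_logout_request(xml, expected_destination):
    """Extract the fields a logout handler needs; reject a request whose
    Destination is not this endpoint (a signature check would come next)."""
    root = ET.fromstring(xml)
    if root.tag != f"{{{NS_SAMLP}}}LogoutRequest":
        raise ValueError("not a LogoutRequest")
    if root.get("Destination") != expected_destination:
        raise ValueError("Destination mismatch")
    return {
        "id": root.get("ID"),
        "issuer": root.findtext(f"{{{NS_SAML}}}Issuer"),
        "name_id": root.findtext(f"{{{NS_SAML}}}NameID"),
        "session_index": root.findtext(f"{{{NS_SAMLP}}}SessionIndex"),
    }


if __name__ == "__main__":
    # Constructed placeholder; in practice use the provider's url_slo_redirect value.
    SLO_URL = "https://authentik.example.com/application/saml/demo/slo/binding/redirect/"
    req = build_logout_request("https://sp.example.com/saml/metadata", "jdoe",
                               "_8a1f0c2e", SLO_URL)
    url = redirect_url(SLO_URL, req, relay_state="/dashboard")
    print(url)
    print(parse_logout_request(decode_redirect(url), SLO_URL))
```

The POST binding reported in `url_slo_post` carries the same XML, base64-encoded without compression, in a form field named `SAMLRequest`; the request-building and parsing functions above apply unchanged, only `encode_redirect`/`decode_redirect` differ.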
##### `GET` /sources/oauth/

###### Parameters:

Added: `has_jwks` in `query`

> Only return sources with JWKS data

##### `GET` /stages/user_write/{stage_uuid}/

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Added property `user_creation_mode` (string)

        Enum values:

        - `never_create`
        - `create_when_required`
        - `always_create`

    - Deleted property `can_create_users` (boolean)

        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `PUT` /stages/user_write/{stage_uuid}/

###### Request:

Changed content type : `application/json`

- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)

    > When set, this stage can create users. If not enabled and no user is available, stage will fail.

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Added property `user_creation_mode` (string)
    - Deleted property `can_create_users` (boolean)

        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `PATCH` /stages/user_write/{stage_uuid}/

###### Request:

Changed content type : `application/json`

- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)

    > When set, this stage can create users. If not enabled and no user is available, stage will fail.

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Added property `user_creation_mode` (string)
    - Deleted property `can_create_users` (boolean)

        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `POST` /stages/user_write/

###### Request:

Changed content type : `application/json`

- Added property `user_creation_mode` (string)
- Deleted property `can_create_users` (boolean)

    > When set, this stage can create users. If not enabled and no user is available, stage will fail.

###### Return Type:

Changed response : **201 Created**

- Changed content type : `application/json`

    - Added property `user_creation_mode` (string)
    - Deleted property `can_create_users` (boolean)

        > When set, this stage can create users. If not enabled and no user is available, stage will fail.

##### `GET` /stages/user_write/

###### Parameters:

Added: `user_creation_mode` in `query`

Deleted: `can_create_users` in `query`

###### Return Type:

Changed response : **200 OK**

- Changed content type : `application/json`

    - Changed property `results` (array)

        Changed items (object): > UserWriteStage Serializer

        - Added property `user_creation_mode` (string)
        - Deleted property `can_create_users` (boolean)

            > When set, this stage can create users. If not enabled and no user is available, stage will fail.